Domains and pulp_rpm

• Why?
  • Allow for isolation in multi-tenant installations
    • API access (via Domain-specific RBAC setup)
    • Artifact storage (Each Domain has its own storage)
  • Content-delivery is NOT domain-controlled
    • That's what ContentGuards are for

• How?
  • Users given Domain-specific RBAC access
  • Objects scoped to the Domain they are created in
  • Objects cannot be shared "cross-domain"
  • Storage specified per-domain
    • Pulp's de-duplication is NOT Cross-Domain
  • Activated by setting DOMAIN_ENABLED=True

• Caveats
  • Pulp will FAIL TO START unless all plugins support
  • Content- and API-urls change to include the domain
    • e.g., Content at /pulp/content/MYDOMAIN/foo-repo/
    • e.g., API at /pulp/MYDOMAIN/api/v3/remotes/
  • Some entities are NOT Domain-specific
    • Users, Groups, AccessPolicies, Roles

• Who has Domain support?
  • pulpcore/3.23+
  • pulp_file/1.13+
  • pulp_certguard/1.6+
  • pulp_rpm/3.22+
  • pulp_gem/0.4+

Demo!

Repository creation/access

• TRY: robert, create repo in default - FAIL, RBAC
• TRY: robert, create repo in private - SUCCESS, rpm.admin
• TRY: norm, read repo in default - FAIL, RBAC
• TRY: admin, update private-repo to use default-remote - FAIL, CROSS_DOMAIN

Demo!

Trying to access content via the API

• TRY: admin, find package-by-name in default - SUCCEED
• TRY: robert, find same package - FAIL, DOMAIN_SPECIFIC
• TRY: robert, upload same RPM to private-repo, then access - SUCCEED
• TRY: using wget on private-domain distribution - SUCCEED, no ContentGuard
• teardown

Show

#!/usr/bin/bash
echo ">>> Show USERS:"
echo "pulp user list | jq '.[] | .username'"
pulp user list | jq '.[] | .username'
echo ">>> Show DOMAINS:"
echo "pulp domain list | jq '.[] | {name, description}'"
pulp domain list | jq '.[] | {name, description, pulp_href}'
echo ">>> Show ROLES:"
for u in robert norm
do
    echo ">>> USER ${u}:"
    echo "pulp user role-assignment list \
        --username ${u} | jq '.[] | .role, .domain'"
    pulp user role-assignment list \
        --username ${u} | jq '.[] | {role, domain}'
done
echo ">>> Show REPOSITORIES:"
for d in $(pulp domain list | jq -r '.[] | .name')
do
    echo "pulp --domain ${d} repository list | jq '.[] | {name, pulp_href}'"
    pulp --domain "${d}" repository list | jq '.[] | {name, pulp_href}'
done

Setup

#!/usr/bin/bash
echo ">>> Create default Remote"
pulp rpm remote create \
    --name ${DEFAULT_REPO} \
    --url https://fixtures.pulpproject.org/rpm-signed/ \
    --policy on_demand
echo ">>> Create default Repository"
pulp rpm repository create --name ${DEFAULT_REPO} --remote ${DEFAULT_REPO} --autopublish     
echo ">>> Sync default Repository"
pulp rpm repository sync --name ${DEFAULT_REPO}
echo ">>> Create user 'robert'"
pulp user create --username robert --password ${ROBERT_PWD}
echo ">>> Create user 'norm'"
pulp user create --username norm --password ${NORM_PWD}
echo ">>> Create Domain ${PRIVATE_DOMAIN}"
pulp domain create \
    --name ${PRIVATE_DOMAIN} \
    --description "robert's domain" \
    --storage-class pulpcore.app.models.storage.FileSystem \
    --storage-settings "{\"MEDIA_ROOT\": \"/var/lib/pulp/media/\"}"
echo ">>> Give 'robert' rpm.admin in ${PRIVATE_DOMAIN}"
pulp user role-assignment add --username robert --role "rpm.admin" --domain ${PRIVATE_DOMAIN}
echo ">>> Role Assignments:"
for u in robert norm
do
    echo "USER ${u}:"
    pulp user role-assignment list --username ${u} | jq '.[] | .role, .domain'
done

Access Demo

#!/usr/bin/bash
echo ">>> TRY: robert, create repo in default - ERR..."
pulp --username robert --password ${ROBERT_PWD} rpm repository create --name ${PRIVATE_REPO} 
echo ">>> TRY: robert, create repo in private - SUCCEED..."
pulp --domain ${PRIVATE_DOMAIN} --username robert --password ${ROBERT_PWD} rpm repository create --name ${PRIVATE_REPO} --autopublish
pulp --domain ${PRIVATE_DOMAIN} --username robert --password ${ROBERT_PWD} rpm distribution create --name ${PRIVATE_REPO} --repository ${PRIVATE_REPO} --base-path ${PRIVATE_REPO}
echo ">>> TRY: norm, read repo in default - ERR..."
pulp --username norm --password ${NORM_PWD} rpm repository show --name ${DEFAULT_REPO}       
echo ">>> TRY: admin, copy content from default to private - ERR..."
export DEFAULT_REMOTE_HREF=$(pulp rpm remote show --name ${DEFAULT_REPO} | jq -r .pulp_href) 
pulp --domain ${PRIVATE_DOMAIN} rpm repository sync --repository ${PRIVATE_REPO} --remote ${DEFAULT_REMOTE_HREF}
echo ">>> TRY: admin, find package-by-name - SUCCEED..."
pulp rpm content list --name zebra
echo ">>> TRY: robert, find same name - ERR..."
pulp --username robert --password ${ROBERT_PWD} rpm content list --name zebra
echo ">>> TRY: robert, upload same-name RPM to private repo, then access artifact - SUCCEED..."
pulp --domain ${PRIVATE_DOMAIN} --username robert --password ${ROBERT_PWD} rpm content upload --repository ${PRIVATE_REPO} --file ./zebra-0.1-2.noarch.rpm
pulp --domain ${PRIVATE_DOMAIN} --username robert --password ${ROBERT_PWD} rpm publication create --repository ${PRIVATE_REPO}
pulp --domain ${PRIVATE_DOMAIN} --username robert --password ${ROBERT_PWD} rpm content list --name zebra
echo ">>> TRY: using wget on private-domain distribution - SUCCEED..."
http http://localhost:5001/pulp/content/private/private/

Teardown

#!/usr/bin/bash
# Delete created repos, users, and domains
echo ">>> Destroy ${PRIVATE_DOMAIN}-domain objects..."
pulp rpm repository destroy --name ${DEFAULT_REPO}
pulp rpm remote destroy --name ${DEFAULT_REPO}
echo ">>> Destroy ${PRIVATE_DOMAIN}-domain objects..."
pulp --domain ${PRIVATE_DOMAIN} rpm distribution destroy --name ${PRIVATE_REPO}
pulp --domain ${PRIVATE_DOMAIN} rpm repository destroy --name ${PRIVATE_REPO}
echo ">>> Destroy ${PRIVATE_DOMAIN}..."
pulp domain destroy --name ${PRIVATE_DOMAIN}
echo ">>> Destroy Users..."
pulp user destroy --username robert
pulp user destroy --username norm